Chrome Enterprise Policy to Block Personal Google Login on macOS via JumpCloud
Overview
To prevent data exfiltration, IT administrators often need to block users from logging into personal Google accounts (e.g., @gmail.com) while allowing access to Corporate Google Workspace accounts (e.g., @netnxt.com).
This is achieved by deploying Google Chrome Policies via JumpCloud. We will configure two specific restrictions:
Browser Profile Restriction: Ensures the browser itself is signed in with the corporate ID (for bookmark/history sync).
Web Session Restriction (The Key Fix): Prevents logging into personal Gmail/Drive websites inside the browser.
The macOS Policy (Custom Profile)
For macOS, the most robust method is deploying a .mobileconfig profile that defines these Chrome policies.
Create a file named
BlockPersonalGmail.mobileconfigwith the content below.Replace
netnxt.comwith your actual domain.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Restricts Google Sign-in to Corporate Domains only.</string>
<key>PayloadDisplayName</key>
<string>Chrome - Block Personal Gmail</string>
<key>PayloadIdentifier</key>
<string>com.netnxt.chrome.restriction</string>
<key>PayloadType</key>
<string>com.google.Chrome</string>
<key>PayloadUUID</key>
<string>38266453-6112-4263-8998-335123987654</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>RestrictSigninToPattern</key>
<string>.*@netnxt.com</string>
<key>SecondaryGoogleAccountSigninAllowedDomains</key>
<array>
<string>netnxt.com</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Chrome Enterprise - Domain Restriction</string>
<key>PayloadIdentifier</key>
<string>com.netnxt.profile.chrome</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>99887766-5544-3322-1100-998877665544</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>Upload to JumpCloud:
Go to Device Management > Policy Management > (+) > Mac > MDM Custom Profile.
Upload the file and bind it to your Mac device group.
User Experience & Validation
Once applied (allow 30 minutes for propagation), you can verify the restriction:
Open Chrome on a managed device.
Navigate to gmail.com and try to sign in with a personal account (e.g.,
user123@gmail.com).The Result: The user will see a Google error page stating:
"This account is not allowed to sign in within this network."
Corporate Access: Try signing in with
employee@netnxt.com. This should proceed normally.
FAQ
1) How do you block personal Google login in Chrome on macOS using JumpCloud?
Use a JumpCloud custom mobileconfig profile with RestrictSigninToPattern set to your corporate domain. Chrome blocks personal Google login and only allows whitelisted Workspace accounts.
2) Will corporate Google Workspace accounts work after applying the Chrome policy?
Yes. Chrome permits sign-in for your corporate Workspace domain while denying personal Gmail accounts at browser login. SSO, bookmarks, and admin-defined domain sessions continue normally.
3) What happens when a user tries to sign in with a personal Gmail account in Chrome on macOS?
Chrome displays an error stating the account is not allowed to sign in within this network. The device accepts USB/HID connections, but Google account authentication is blocked.
4) How can admins validate the Chrome domain restriction is active on macOS?
Open Chrome, attempt sign-in with a personal Gmail account to confirm block behavior, then test Workspace login to verify corporate access proceeds without errors.
